lst_ho...@kwsoft.de:
>
> Quoting Wietse Venema <wie...@porcupine.org>:
>
> > lst_ho...@kwsoft.de:
> >> What is the way to go to take part in the feature development? It looks
> >> like we need a slight modification of the auth external as described.
> >
> > Mailing list discussions.
> >
> > Eventually there will be a postfix-xxxx-nonprod release that combines
> > all the code (jay) and none of the guarantees (bleh).
> >
> > I am not convinced that stuffing arbitrary PKI identities into a
> > SASL identity is necessarily a good idea. Maybe it is safer to solve
> > this problem without PKI-to-SASL cross-talk.
>
> At least in my case no SASL would be needed. For me a
> relay_clientcerts able to list allowed validated CNs would be enough.
> The SASL stuff will be handy for tying an "identity" to certificates and
> assigning additional rights/limits of course.

One SASL-less option that I can think of is check_cname_access:
map the CNAME to an action. Requires that the certificate is verified.
Would that work? This approach avoids the mixing of PKI identities
and SASL identities.

Implementation note: this would require that check_cname_access
looks up a quoted string if the CNAME contains spaces. The postmap
command understands quoted strings as of Postfix 3.2.

Wietse